Koobface on Facebook: How Malicious Contents Sneak Into Social Networking

Koobface on Facebook: How malicious contents sneak into social networking

Mohammad Reza Faghani

Outline

 Introduction

 Trend of Web malware

 Social networks malware

 What is XSS !?

 Potentials of XSS Worms

 Social Networks

 XSS worm propagation

 ClickJacking malware propagation

 Trojan malware propagation

 Summarizing the results from various studies

 Recent study results

 Our proposed scheme for malware detection

 Conclusion

Introduction

 Four key threats to consider

 Spam

 Bugs

 Denial of Service

 Malicious Software (malware)

 Propagate via Spam Viruses, Worms, Trojans, SpyWare  Exploits bugs ScareWare, …

 Mount DOS

Introduction (cont.)

 Why is malware so important to study?

 Privacy and security issues

 Cyber War

  Stuxnet, Predator Drone

 ISPs struggle under virus generated traffic

 Cyber Criminals make a lot of money

 Hidden costs

 Reputation Introduction (cont.)

 Malware is propagated via

 Email

 P2P networks

 Vulnerable OS services

 Mobile phones

 Web

 Can even be Hybrid Trends of Web malware

 Web malware

 Most people frequently use Web

 Population of the victims are much larger than other types of malware.

 Social networks are popular among people

 No barriers for web users

 Malware writers prefer to exploit Web users Suppose each active user has on average  80% of web servers have critical vulnerabilities such as XSS (will128kbps discuss of bandwidth,XSS later) potential of 10 percent of active users is :  Aggregated traffic80Mx128kbps= of the web 10 users’ Tbps browser would be huge Social networks malware

 Samy could affect 1200000 over 1 million people Code Red I 1000000 1000000 Code Red II in less that 20 hours. Slammer 800000 Blaster  MySpace was the Samy first but : 600000

 Sina, July 2011 400000 359000 336000 275000  FB on March 29, 2011 200000  ClickJacking types 55000

 Almost everyday 0

 Twitter on Sep. 2010

 …

Propagation of a Malware Why studying malware ?

 To have a better understanding of propagation behaviors

 Damage assessment

 Providing enough traffic to avoid Denial of Service

 Detecting the weaknesses of spreading

 How we can counter-measure in the best way

Social networks malware

 We can consider three main types of social networks malware attacks:

 XSS worms

 e.g. Samy

 Trojans

 e.g. Koobface

 ClickJacking types

 Forced like

 Can lead to DriveByDownloads malware What is XSS !?

 Cross Site Scripting (XSS) is a common vulnerability in web applications.

 Has two types:

 Reflected

 Stored Reflected XSS

 Application reflects exactly what it gets from the user.

 user may inject a harmful script Stored XSS

 Attacker stores a harmful script in the application database for further exploitation.

 Comments

 Forum talks

 FB Wall XSS + AJAX = w0rm

 XSS threat becomes more noticeable due to the combination of HTML and AJAX technology.

 AJAX allows browsers to issue HTTP requests on behalf of the user.

 No need for the attacker to deceive the victim to click on a special crafted link!

XSS worm propagation

 XSS worm propagation consists of the following two steps:

 Download

 A visitor downloads (views) an infected profile and automatically executes the JavaScript payload.

 Propagation

 The payload is extracted from the contents of the profile being viewed and then added to the viewer’s profile. ClickJacking Worm Propagation

Unwittingly clicking on a hidden like button

and more friends get infected… Trojan Propagation

Then they post a similar link on the victim’s profile or send private messages to friends of the victim containing the malicious link.

Sometimes, they ask you to download the appropriate decoder to play the movie, which is indeed the Trojan itself. Research on OSN malware

 Three main papers on OSN malware propagation (in chronological order):

 [1] Faghani M. R., Saidi H., “Malware Propagation in Online Social networks”, Malware09, Montreal, 2009.

 [2] W. Xu, F. Zhang, and S. Zhu., “Toward worm detection in online social networks”, (ACSAC), 2010.

 [3] Guanhua Y., Guanling . And et al. , “Malware Propagation in Online Social Networks: Nature, Dynamics, and Defense Implications, (ASIACCS'11), March 2011.

Result Summary (from simulations)

 Social network structure itself slows down the worm propagation.

10000 9000

8000 Random (q=0.9) Small World (q=0.9) 7000

6000

5000

4000

3000

Total Number of Infected profiles 2000

1000

0.5 1 1.5 2 2.5 3 5 Number of Visits x 10 Result summary (cont.)

 User activities play an important role. 10000 9000 q=1 8000 q=0.9 q=0.7 7000 q=0.5 q=0.3 6000 q=0.1

5000

4000

3000

Total Numer of Infected profiles 2000

1000

0.5 1 1.5 2 2.5 3 3.5 4 5 NumberNumbe of Visitsvisits x 10 Result summary (cont.)

 Trojan type spreads faster than XSS

10000

9000

8000 XSS Koobface, p=0.5 7000 Koobface, p=0.7

6000

5000

4000

3000

Total Number of Infected profiles 2000

1000

0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 4 Times in minutes x 10 Result summary (cont.)

 Effect of Clustering coefficient is linear 5 x 10 1.75

1.7

1.65

1.6

1.55

1.5 Time required to have the whole population infected 0.1 0.105 0.11 0.115 0.12 0.125 0.13 0.135 0.14 0.145 0.15 Clustering Coefficent Result summary (cont.)

 Effect of Infection Probability is exponential 5 x 10 10

Time required to have the whole population infected 1 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1 Probability of Executing the malware Recent Results (1)

 Considering cliques

 Those who have common interests create a group. 10000 A1 w ith 1 Clique 9000 C w ith 1 Clique A1 w ith 2 Cliques 8000 C w ith 2 Cliques 7000 6000

5000

4000

3000 Total Number of Infected

2000

1000

0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 5 Total Number of Visits x 10 Recent Results (2)

 Considering overlapping cliques:

10000

9000 2 Cliques + 1 Common Clique 3 Cliques 8000 3 Cliques + 1 Common Clique 4 Cliques 7000

6000

5000

4000

3000 Total Number of Infected

2000

1000

0 0 0.2 0.4 0.6 0.8 1 1.2 1.4 1.6 1.8 2 5 Total Number of Visits x 10 Proposed Defense System

 Identify big cliques

 Among them distinguish those users who are connected to different cliques.

 Implement decoy friends or other detection mechanisms to detect malicious behaviors.

 It is more efficient than current Facebook classifier system. Conclusion

 User relationship structure plays an important role in malware propagation.

 User activities affect speed of propagation.

 Propagation of XSS types is slower than that of Trojan types.

 A new defense mechanism can be built using OSN graph topology. Acknowledgement

 Thank you

 Any Question ?